X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=include%2Finit.php;h=09e08866dd5f1432aa8b0a73256c74af42ab6d2b;hb=825a88dd5413cbf683d9c34a51fff87dfc250a65;hp=eb5336537b8b8486fb4cc736edc2817727762792;hpb=3f55fe04a3f2093e0dc89b83fb3b3c42b16000cd;p=squirrelmail.git diff --git a/include/init.php b/include/init.php index eb533653..09e08866 100644 --- a/include/init.php +++ b/include/init.php @@ -5,7 +5,7 @@ * * File should be loaded in every file in src/ or plugins that occupate an entire frame * - * @copyright 2006-2012 The SquirrelMail Project Team + * @copyright 2006-2015 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -274,20 +274,20 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) { * or * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E * because it doesn't bother with broken tags. - * htmlspecialchars() is the preferred method. + * sm_encode_html_special_chars() is the preferred method. * QUERY_STRING also needs the same treatment since it is * used in php_self(). * Update again: the encoding of ampersands that occurs - * using htmlspecialchars() corrupts the query strings + * using sm_encode_html_special_chars() corrupts the query strings * in normal URIs, so we have to let those through. FIXME: will the de-sanitizing of ampersands create any security/XSS problems? */ if (isset($_SERVER['REQUEST_URI'])) - $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI'])); + $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI'])); if (isset($_SERVER['PHP_SELF'])) - $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF'])); + $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF'])); if (isset($_SERVER['QUERY_STRING'])) - $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING'])); + $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING'])); $PHP_SELF = php_self();